4. $3bn+ investment in cloud infrastructure
Dark Fiber between hubs with multiple international edge points
ISO27001, EU Model Clauses, HIPAA, FISMA
DC, physical, software
Benchmark-setting Power Usage Effectiveness (PUE)
5. SECURITY
MANAGEMENT: Threat and vulnerability management, monitoring, and response
NETWORK PERIMETER: Edge routers, intrusion detection, vulnerability scanning
INTERNAL NETWORK: Dual-factor authentication, intrusion detection, vulnerability scanning
HOST: Access control and monitoring, anti-malware, patch and configuration management
APPLICATION: Secure engineering (SDL), access control and monitoring, anti-malware
DATA: Access control and monitoring, file/data integrity
USER: Account management, training and awareness, screening
FACILITY: Physical controls, video surveillance, access control
6. Office365.com
Our surface area is too big/partitioned to manage sanely
Service management is largely done via our Datacenter Service Fabric
Datacenter automation diagram spanning regions: North America 1, North America n, Europe 1
7. Data Driven, Secure, Automated
Big Data
External Signals
System Signals
Access
Approval
Auditing
Compliance
Changes
Safety
Orchestration
Repair
We simplify by focusing all our work along the three pillars—these work in tandem to create a great service fabric
Allows us to create a virtuous automation system that is SAFE, DATA DRIVEN while being AGILE at very high scale
Machine Learning
Editor's Notes
Defense in depth is a best practice across the industry, and it's one that we take seriously.
When we deploy software into data centers, we look at the controls we have to apply at every single part of the stack: the physical controls that prevent people from getting access to equipment, encrypting data over the network, locking down the hosts, installing anti-virus software and making sure they are patched and kept up to date, and maintaining the applications themselves and the security within them.
Having a rich set of controls and a defense-in-depth strategy ensures that, should any one area fail for whatever reason, there are compensating controls in other areas to maintain our customers' security and privacy at all times.
Security is an ongoing effort that combines experienced and qualified personnel; software and hardware technologies; and robust processes to design, build, deploy, operate, and support the service. Security must be vigilantly maintained, regularly enhanced, and routinely verified through testing.
As you can see from the slide, we have a multidimensional approach to securing our online services. It starts in our facilities, where we have robust physical security controls, including video surveillance in all of our facilities, and as you move up the stack, up the slide into our service, you can see key controls like two-factor authentication for all the folks that access our services. And then as you move towards access control and monitoring and file/data integrity, you can see that we think about security in the facility, in the infrastructure, and in the application.
Example of control domains to discuss:
Vulnerability Management - Multiple layers of automatically updated anti-virus protection are used to prevent malicious code from entering the environment. Intrusion detection and prevention systems are in place to detect, alert on and, where applicable, prevent anomalous activities or deviations from a baseline configuration that may indicate a suspected compromise.
Training and Awareness - Formal training for all engineers, testers, and program managers, including design and coding standards.
Physical Access - Restrictions by job function exist so that only essential personnel are authorized to physically access customers' hardware. Authorization requires:
Badge, and card reader restricted access
Biometric scanners
On-premises security officers
Continuous video surveillance
Controls across our framework are ranked and marked for review through a program we call cycle testing.